My .02, for what they're worth... I'm a huge believer in IPsec tunnels and all of the magic they can provide. By using racoon, you don't need to worry about a tunnel going down and staying down (unless you've got connectivity issues) as you can have racoon test the connection and re-construct it if it breaks. Free routing platforms like Sophos and pfSense make this immeasurably simple. Set up a tunnel, and the magic of tunnels virtually (and privately) connects two LANs together. You could even do a point->point if you didn't want to attach the two LANs.
I tend to gravitate away from SSH tunneling for services as... it's heavy (thanks, Sam). I'd tend to agree with him that it's a band-aid. It's great for remote VNC, don't get me wrong (that's what I love it for), but for services... you're better off with a VPN of some kind (in my book). If you enable tunneling from the router side, you can set up 1:1 NATing and use firewalls and ACLs to limit traffic from point A to point B.

-Pat

On Thu, Dec 13, 2012 at 11:01 AM, Sam Hooker <[email protected]> wrote:
> Hi Joe,
>
> I've tunneled a lot of stuff over SSH, and it's a great band-aid, but
> always feels heavy-handed. My initial thought is that you're going to deal
> with maintaining/distributing asymmetric crypto one way or the other. Which
> is to say: You'd probably want your SSH tunnels to re-establish themselves
> w/o user intervention...which likely means key-based auth (unless you've
> got a Kerberos card you haven't played yet)...which isn't that much more
> easily-managed than X.509 certs for TLS. Additionally, since SSH tunnels
> are bad at bringing themselves back to life after link failure without
> additional glue, and rsyslog probably has built-in support for addressing
> that problem, rsyslog's own TLS implementation is probably a win.
>
> $0.02,
>
> -sth
>
> sam hooker|[email protected]|http://www.noiseplant.com
>
> "To invent, you need a good imagination and a pile of junk."
> Thomas Edison
>
> ----- Original Message -----
> > From: "joe golden" <[email protected]>
> > To: [email protected]
> > Sent: Thursday, December 13, 2012 10:45:00 AM
> > Subject: secure remote rsyslog
> >
> > Anyone have any links or advice for rsyslogd over SSH? Good idea? Bad
> > idea?
> >
> > I'm trying to set up centralized logging and might as well do it in a
> > secure fashion. Rather not go through the hassle of SSL certs if not
> > necessary. That said, it looks like rsyslogd with TLS
> > (http://www.rsyslog.com/doc/rsyslog_tls.html) may be the way to go.
> >
> > I live in the Debian-flavored world.
> >
> > Cheers with beers.
> >
> > --
> > Joe Golden /_\ www.Triangul.us /_\ websites with class
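For readers landing on this thread: Sam's point that rsyslog's own TLS support already covers re-connection and peer authentication comes down to a server and a client config. The following is an added example written for this page; it is not code from Pat, Sam or Joe, and not copied from the linked rsyslog doc. It uses the legacy `$Directive` syntax that doc uses (so it works on the rsyslog versions Debian shipped at the time as well as current ones, given the `rsyslog-gnutls` package), with mutual x509/name authentication so a rogue collector cannot harvest logs and an unauthorised host cannot inject them. All file paths, hostnames, the `*.example.com` pattern and the port are assumptions to be replaced.

```conf
### Central log server: /etc/rsyslog.d/10-tls-server.conf
### (added example; CA/cert/key paths and hostnames are placeholders)
# GnuTLS netstream driver; the CA file is what both sides trust
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/logserver-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/logserver-key.pem

$ModLoad imtcp
# Mode 1 = TLS only; plaintext TCP to this listener is refused
$InputTCPServerStreamDriverMode 1
# x509/name: the client must present a cert signed by our CA whose
# name matches the permitted-peer pattern (mutual authentication),
# instead of "anon", which would encrypt but not authenticate anyone
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.com
# 6514 is the IANA-assigned port for syslog over TLS
$InputTCPServerRun 6514

### Each client: /etc/rsyslog.d/10-tls-client.conf
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/host1-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/host1-key.pem

# Disk-assisted queue: messages are buffered locally while the link or
# the collector is down and rsyslog keeps retrying the connection itself.
# This is the "glue" an SSH tunnel would need scripting for.
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwd_tls
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
# Verify the collector's certificate name, not just the CA signature
$ActionSendStreamDriverPermittedPeer logserver.example.com
# @@ selects TCP; the stream-driver directives above make it TLS
*.* @@logserver.example.com:6514
```

Two checks worth running once both sides are restarted: `openssl s_client -connect logserver.example.com:6514 -CAfile /etc/rsyslog.d/tls/ca.pem` should complete a handshake and show the collector's certificate chain, and `logger -t tlstest "hello"` on a client should appear in the collector's log within a second or two. If the listener logs a certificate-validation error, the usual causes are a client cert whose name does not match the `PermittedPeer` pattern or a CA file that differs between the two hosts.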
